Add disabled-device-node-modification hook to CDI spec

This hook is not added to management specs. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-06-26 18:18:24 +00:00 · 2025-02-13 15:15:32 +01:00
parent 49aa5d764b
commit 9c3086de9f
5 changed files with 38 additions and 0 deletions
--- a/pkg/nvcdi/api.go
+++ b/pkg/nvcdi/api.go
@@ -44,4 +44,7 @@ const (
 	// HookEnableCudaCompat refers to the hook used to enable CUDA Forward Compatibility.
 	// This was added with v1.17.5 of the NVIDIA Container Toolkit.
 	HookEnableCudaCompat = HookName("enable-cuda-compat")
+	// HookDisableDeviceNodeModification refers to the hook used to ensure that device nodes
+	// are not created by nvidia-smi in a container.
+	HookDisableDeviceNodeModification = HookName("disable-device-node-modification")
 )
--- a/pkg/nvcdi/driver-nvml.go
+++ b/pkg/nvcdi/driver-nvml.go
@@ -115,6 +115,14 @@ func (l *nvcdilib) NewDriverLibraryDiscoverer(version string) (discover.Discover
 	updateLDCache, _ := discover.NewLDCacheUpdateHook(l.logger, libraries, l.nvidiaCDIHookPath, l.ldconfigPath)
 	discoverers = append(discoverers, updateLDCache)

+	if l.HookIsSupported(HookDisableDeviceNodeModification) {
+		updateNvidiaParams := discover.CreateNvidiaCDIHook(
+			l.nvidiaCDIHookPath,
+			"disable-device-node-modification",
+		)
+		discoverers = append(discoverers, updateNvidiaParams)
+	}
+
 	d := discover.Merge(discoverers...)

 	return d, nil
--- a/pkg/nvcdi/lib.go
+++ b/pkg/nvcdi/lib.go
@@ -146,6 +146,9 @@ func New(opts ...Option) (Interface, error) {
 		}
 		// Management containers in general do not require CUDA Forward compatibility.
 		l.disabledHooks[HookEnableCudaCompat] = true
+		// For Management containers we allow device node creation:
+		l.disabledHooks[HookDisableDeviceNodeModification] = true
+
 		lib = (*managementlib)(l)
 	case ModeNvml:
 		lib = (*nvmllib)(l)